A look back at Microsoft’s 2011 security landscape

As far as individual issues, Critical-class CVEs accounted for less than a third of the issues we addressed in bulletin releases for the first time since we began our monthly bulletin-release cadence in 2004. And in absolute numbers, Critical-class CVEs are at their lowest levels since 2005. The fact that we’re seeing lower percentages of Critical issues and bulletins year-over-year demonstrates progress made by the product groups in creating more secure software.

With this regularly scheduled monthly release, our bulletin count for 2011 is 99, with 13 released today. Of those, we determined 10 to be Important-class bulletins, with only three classified as Critical in severity. In 2011, Critical-class bulletins represented just 32 percent of all bulletins – the lowest percentage since we began our monthly bulletin-release cadence in 2004 and, again, the lowest absolute number since 2005. Interestingly, for the second half of the year the numbers are even lower, with under 20 percent of bulletins released in the last six months rated Critical in severity.

Even though there are fewer Critical-class security updates year-over-year, we know that any update has the potential to be disruptive for customers. And so we work hard to make our update process as smooth and transparent as possible for customers – with no surprises. As part of that commitment, in 2011 we were able to address reported security issues effectively without resorting to emergency releases outside of the regular scheduled monthly releases. We understand the disruption that these “out-of-cycle” releases create for customers, and we take the decision to release an update out of cycle very seriously. Effective coordination with product teams, greater use of threat telemetry, the ability to release workarounds, and the ability to release defenses through partners like those in Microsoft’s Active Protection Program (MAPP) have all helped us to release all our 2011 bulletins in the usual monthly process. We’re glad about that, even though we will always reserve the right to release out-of-cycle if the situation merits it.

We also know that a large part of addressing security issues effectively and quickly is dependent on how we work with the community that finds and reports vulnerabilities to us. In 2011, over 80 percent of the issues we addressed were disclosed in a coordinated process. During the second half of the year that rose to over 85 percent. We believe that reporting vulnerabilities in a coordinated manner helps better protect customers and the broader Internet ecosystem and we’re glad that so many in the industry share this sentiment.

However, we didn’t rest on just those numbers. We continued our work with the community, and in the summer of 2011 we made a series of announcements culminating in the kickoff of our first-ever Blue Hat Prize, which will award over a quarter of a million dollars to researchers breaking ground on defensive technologies. This initiative encourages researchers to bring to life mitigations that could potentially address entire classes of vulnerabilities. It’s a big project and we’re incredibly excited about the contest entrants we’ve seen so far. We’ll have more information on the Blue Hat Prize in 2012…we don’t want to spoil the excitement for anyone just yet.

Defensive Technology at Play

2011 also brought strong examples of how defensive technologies can increase the security of the software people use every day. For example, two of the more exciting developments of the year here at the MSRC centered on new and improved mitigations for older versions of Windows and Office. After announcing it in December, we launched Office File Validation (OFV) in April. OFV extends our “Gatekeeper” technology — effective at detecting and blocking potentially dangerous binary-format files from opening in Office 2010 — to the 2007 and 2003 editions of Microsoft Office. Since release, approximately 200 million machines have added OFV to their protection arsenal.

And in February, we made an unprecedented change to how Autorun behaves when you insert a USB key on Windows XP and Vista systems. The change reduced the number of infections that rely on Autorun by 59 percent on Windows XP machines and by 74 percent on Windows Vista machines, in comparison to 2010, with a 68 percent year-to-year overall decline in infections for all PCs running all versions of Windows. That’s a staggering change for the better.

As we approach 2012, we’ll continue to deliver the best-tested, highest-quality bulletins possible while facing the security challenges the new year poses. Whatever’s ahead, we’ll continue to work internally, and with the researchers and partners, to find new approaches to security response while keeping customer protection, as always, as our first priority.